
Never heard of the human firewall? The concept behind it is to build a persistent consciousness about information security in the minds of the information system's users so they won't make errors or misbehave when dealing with information. In this article, Thierry Wohnlich proposes an alternate view of information security awareness, a view that takes into consideration the reasons behind the need for awareness, and discusses the role of the individuals in relation to information technology.


Never heard of the human firewall? The concept behind it is to build
a persistent consciousness about information security in the minds of the
information system's users so they won't make errors or misbehave
when dealing with information. A good human firewall employee is one
who lets good security practices through and rejects any others, much as a
network firewall allows only authorized traffic and rejects everything else.

One radical way to build a strong human firewall is to get rid of all humans!
Although this might sound humorous, it is attempted every day when individuals
are removed from processes and replaced with systems or machines. Unfortunately
(or fortunately, depending on the point of view), a human is always standing
somewhere behind a process, system, or machine. Therefore, it is generally
accepted that the only way to build a good human firewall is to raise
people's awareness: to teach them good habits, and to make them recognize bad
practices and change them into good ones.

NOTE

In this article, awareness is not differentiated from training or
education because the ultimate goal is the same: to transmit information and
make people act accordingly.

Humans are the foundation of all companies. As Symantec CEO John Thompson
said at a conference in August 2006, "An organization’s cybersecurity
is only as good as the people who manage and use it."

Is Security Awareness Needed?

Because users of information technology have, to some extent, the power to
alter the information systems they are using, they need to be aware of
information security and its relation to their daily activities. People write
books about how to build an efficient security awareness program, conferences
focus on this subject, and some folks even write articles about it!

Before delving into this more deeply, you might ask why users need
awareness in 2006. Why do users who are only required (as far as the computer is
concerned) to know how to use a mouse and how to click icons need to be aware
of information security?

NOTE

When talking about security awareness for end users, security is primarily
restricted to the confidentiality of data, with integrity and availability as
secondary objectives.

There are two ways of looking at it:

An analogy: While driving a car, you do not need to know
how the engine works, yet you have the power to provoke accidents. So you are
required to know how and when to brake. As a computer user, you should know how
to avoid breaches and how to keep yourself on the correct path.

Be realistic: Security fails! Let's be honest. Every
single service introduced since the emergence of the Internet has
vulnerabilities that need products to mitigate the risks. Those products also
have vulnerabilities that need patching to mitigate the risks... What a
joke!

One way or another, one fact remains: Although computer users can use more
and more services (and benefit from them), they are also more and more exposed
and vulnerable. Additionally, because the security community fails at least
partially to protect those users from the risks of the Internet, they have to
know how to do it themselves. They have to make decisions that require a certain
above-average level of competence. To distinguish good from bad information,
they have to inspect every email, learn not to open suspicious email
attachments, learn how to check for website authenticity, learn how to create
hard-to-break passwords, and so on.